Veilige software. Wie voelt zich verantwoordelijk?

Transcription

1 Veilige software Wie voelt zich verantwoordelijk?

2 Praktijkvoorbeeld (1/3) Een willekeurige Directeur ICT Zijn er incidenten? Wat is de omvang? De beheerorganisatie spreekt over een web application firewall? Wat zegt de toezichthouder? Hoe gaat dit mij helpen?

3 Praktijkvoorbeeld (2/3) Harde eis? (ASR situatie) DNB toetsingskader security monitoring (COBIT + Assurance Guide) IT controls ISAE3402 certificeringen IT controls jaarrekening controle Solvency II Risk framework En uw bedrijf? (PCI DSS?)

4 Praktijkvoorbeeld (3/3) Auditors in de zaal? Toelichting?

5 IT Assurance Mogelijke oorzaken onvoldoende aandacht: Gebrek aan normenkaders Geen goede metrics Nog onvoldoende kennis bij auditors Testen security requirements afdoende

6 Raakvlakken COBIT

7 Assurance framework OpenSAMM

8 OpenSAMM onderdelen Maturity Model Objective Activities Results Success Metrics Costs Personnel Related Levels Assessment Worksheet Scorecard

9 OpenSAMM IT controls

10 OpenSAMM onderdelen Objective e.g. Measure relative value of data and software assets and choose risk tolerance Doel in lijnbesturing als: De klant erom vraagt (1 e lijns) Relatie met bedrijfsstrategie (1 e lijns) Rapportage risk framework (2 e lijns) Periodieke toetsing toezichthouder (3 e lijns)

11 OpenSAMM onderdelen Activities e.g. A. Classify data and applications based on business risk B. Establish and measure per classification security goals Opnemen in IT control framework (incl. Objective) Uitgebreide toelichting voor implementatie

12 OpenSAMM onderdelen Results e.g. Customized assurance plans per project based on core value to the business Organization wide understanding of security-relevance of data and application assets Better informed stakeholders with respect to understanding and accepting risks Opnemen in resultaat afspraken / beoordeling van: Informatie Manager Enterprise Architect?

13 OpenSAMM onderdelen Success Metrics e.g. >90% applications and data assets evaluated for risk classification in past 12 months >80% of staff briefed on relevant application and data risk ratings in past 6 months Performance indicator lijn / proces besturing SLA Continu verbeteren Visueel Management

14 OpenSAMM onderdelen Assessment e.g. Are most of your applications and resources categorized by risk? Are risk ratings used to tailor the required assurance activities? Does most of the organization know about what s required based on risk ratings? 0-meting en Self-Assessment Periodieke toetsing (externe) auditors Opnemen in IT control framework

15 Security inbouwen Toepassen beheersmaatregelen: abuse cases security requirements risk analysis risk-based security test code review (tools) risk analysis penetration testing security operations requirements and use cases architecture and design test plans code test and test results feedback from the field Gary McGraw

16 OWASP The Open Web Application Security Project

17 Wat is OWASP? Open Web Application Security Project Open group focused on understanding and improving the security of web applications and web services. Hundreds of volunteer experts from around the world. Go download the guides right now!

18 Wat is OWASP? non-profit, volunteer driven organization all members are volunteers all work is donated by sponsors provide free resources to the community publications, articles, standards testing and training software local chapters & mailing lists supported through sponsorships corporate support through financial or project sponsorship personal sponsorships from members

19 OWASP projects Uitstekende documentatie en tools voor implementeren beheersmaatregelen!!! abuse cases security requirements risk analysis risk-based security test code review (tools) risk analysis penetration testing security operations requirements and use cases architecture and design test plans code test and test results feedback from the field

20 What is OWASP? project based AppSec FAQ project CLASP project Guide project Testing project Top Ten project WebGoat project WebScarab project

21 OWASP Guides main guides development code review testing some key areas: threat risk modeling authentication, authorization session management input data validation error handling, auditing and logging 23

22 OWASP WebGoat provides: an educational tool a test case for security tools what is it? a very vulnerable J2EE web application based on Tomcat and JDK 1.5 oriented to learning: easy to use illustrates credible scenarios teaches realistic attacks, and viable solutions 24

23 WebGoat Demo Film 25

24 OWASP WebScarab analyze and manipulate HTTP/HTTPS traffic written in Java multiple uses developer: debug client/server communication security analyst: identify vulnerabilities technical tool focused on software developers extensible plug-in architecture open source; easy to extend core system 26

25 OWASP Top Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards

26 Injection Any execution or interpretation as a command, of user data by the web application or backend systems, could open an attack vector. system calls call to external programs ( , pdf writer, etc.) SQL queries LDAP queries... 28

27 Injection check calls to external resources check data flow: any connection with outside data? check allowed data input for accessed resources Defense-in-Depth resource access: impersonation trusted subsystem hybrid role mapping Coding policy! 29

28 URL Query String Form Fields Hidden Fields

29

30 Unvalidated input common input tampering attacks: forced browsing command insertion cross site scripting buffer overflows SQL injection cookie poisoning hidden field manipulation 32

31 Unvalidated input Hard to filter: a lot of 'active' content and different encodings. Where to start? canonicalization positive vs negative input validation use of centralized component or library for input filtering coding policy! 33

32 Unvalidated input allow known good data reject known bad data make potentially malicious data safe input constrain reject sanitize validate type, format, length and range (use regular expressions for string data) for example, stripping null characters or spaces 34

33 OWASP Local Chapters meetings presentations develop workshops and setup focus groups for novices, professionals and experts free bread & drinks?!?! mailing lists presentations & groups vendor neutral environments open forums for discussion people and knowledge network 35

34 Vragen?